VYPR
High severity · 8.2 · NVD Advisory · Published Apr 2, 2026 · Updated Apr 16, 2026

CVE-2026-34725

Description

DbGate is a cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in DbGate's icon rendering allows script execution, escalating to RCE in Electron due to insecure configuration; patched in v7.1.5.

CVE-2026-34725 is a stored cross-site scripting (XSS) vulnerability in DbGate, a cross-platform database manager. The issue resides in the icon rendering path: packages/web/src/icons/FontIcon.svelte treats any icon string starting with <svg as inline SVG and renders it with {@html iconValue} without sanitization [2]. The applicationIcon field is loaded from app definitions and passed unsanitized to the UI, creating a stored XSS sink [2][3].

An attacker who can create or modify an app definition can set a malicious applicationIcon containing arbitrary JavaScript. When another user views a matching database or app entry, the payload executes in that user's session [2]. The impact is particularly severe in the Electron desktop application because it uses nodeIntegration: true and contextIsolation: false [2]. This configuration allows XSS payloads to access Node.js and Electron APIs, enabling remote code execution (RCE) [2][3].

In the web UI, the vulnerability permits cross-session script execution, while in the Electron app it can lead to full local code execution [2][3]. An example payload involves embedding an <img> tag with an onerror handler within the SVG icon string [2].

The vulnerability affects DbGate versions from 7.0.0 to before 7.1.5. It has been patched in version 7.1.5 [4]. Users are strongly advised to upgrade to the latest version to mitigate the risk [1][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
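The sink described above is reached only by icon strings that pass the component's `startsWith('<svg')` check, so a defender can audit stored app definitions for the constructs a sanitizer would strip. The following is an added example, not DbGate's code: it flags suspicious `applicationIcon` strings (event-handler attributes, script-bearing URLs, and elements such as the `<img onerror>` payload the narrative mentions) and does not attempt to sanitize them; the `applicationIcon` field name and the object shape of the definitions are assumptions, and the sample definitions are constructed.

```javascript
// Added example, not DbGate's code: a lightweight audit of stored app-definition
// icon strings for constructs that reach the {@html} sink in FontIcon.svelte.
// It flags, it does not sanitize; the 7.1.5 fix uses DOMPurify for that.
// Assumed shape: app definitions are objects with an `applicationIcon` string.

const RISKY_TAGS = new Set(['script', 'foreignobject', 'iframe', 'object', 'embed', 'img']);
const URL_ATTRS = new Set(['href', 'xlink:href', 'src']);
const TAG_RE = /<(\/?)([a-zA-Z][\w:.-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/"'>]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Same predicate the component uses to choose the raw-HTML branch.
function isSvgIcon(iconValue) {
  return typeof iconValue === 'string' && iconValue.trim().startsWith('<svg');
}

// Returns human-readable findings; an empty list means nothing suspicious was seen.
function auditSvgIcon(iconValue) {
  const findings = [];
  if (!isSvgIcon(iconValue)) return findings; // named/text icons never hit {@html}
  for (const [, closing, rawName, attrText] of iconValue.matchAll(TAG_RE)) {
    if (closing) continue; // closing tags carry no attributes
    const name = rawName.toLowerCase();
    if (RISKY_TAGS.has(name)) findings.push(`element <${name}>`);
    for (const [, rawAttr, dq, sq, bare] of attrText.matchAll(ATTR_RE)) {
      const attr = rawAttr.toLowerCase();
      const value = (dq ?? sq ?? bare ?? '').replace(/\s+/g, '').toLowerCase();
      if (attr.startsWith('on')) {
        findings.push(`event handler ${attr} on <${name}>`);
      } else if (URL_ATTRS.has(attr) && /^(javascript|vbscript|data):/.test(value)) {
        findings.push(`${attr} with ${value.split(':')[0]}: URL on <${name}>`);
      }
    }
  }
  return findings;
}

// Audit a whole set of app definitions; returns only the ones with findings.
function auditAppDefinitions(definitions) {
  return definitions
    .map(def => ({ name: def.name, findings: auditSvgIcon(def.applicationIcon) }))
    .filter(entry => entry.findings.length > 0);
}

// Constructed samples, not taken from any real DbGate installation.
const SAMPLE_DEFINITIONS = [
  { name: 'benign', applicationIcon: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 4h16v16H4z" fill="currentColor"/></svg>' },
  { name: 'img-onerror', applicationIcon: '<svg xmlns="http://www.w3.org/2000/svg"><img src=x onerror="alert(1)"></svg>' },
  { name: 'href-and-script', applicationIcon: '<svg><a xlink:href="javascript:alert(1)"><text>x</text></a><script>alert(2)</script></svg>' },
  { name: 'named-icon', applicationIcon: 'img database' },
];

console.log(JSON.stringify(auditAppDefinitions(SAMPLE_DEFINITIONS), null, 2));
```

The tag and attribute regexes are deliberately simple and will miss edge cases a real parser handles; treat a non-empty result as a lead to inspect, and treat an empty one as no substitute for upgrading to 7.1.5.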

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions     Patched versions
dbgate-web (npm)    >= 7.0.0, < 7.1.5     7.1.5

Affected products

2
  • Dbgate/Dbgate (2 versions)
    • (no CPE)
    • (no CPE) range: >=7.0.0, <7.1.5

Patches

1
a7d2ed11f3f3

SYNC: Merge pull request #86 from dbgate/feature/icon-vulnerability

https://github.com/dbgate/dbgate · Jan Prochazka · Mar 23, 2026 · via ghsa
2 files changed · +5 −1
  • packages/web/package.json (+1 −0, modified)
    @@ -70,6 +70,7 @@
         "date-fns": "^4.1.0",
         "debug": "^4.3.4",
         "dom-to-image": "^2.6.0",
    +    "dompurify": "^3.3.2",
         "flatpickr": "^4.6.13",
         "fuzzy": "^0.1.3",
         "highlight.js": "^11.11.1",
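Review bot: the new "dompurify": "^3.3.2" entry has no matching lockfile change in this two-file diff; add the lockfile update to the same commit so every build resolves the version that was actually tested rather than whatever the caret range picks up later.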
    
  • packages/web/src/icons/FontIcon.svelte (+4 −1, modified)
    @@ -26,6 +26,8 @@
     </script>
     
     <script>
    +  import DOMPurify from 'dompurify';
    +
       export let icon;
       export let title = null;
       export let padLeft = false;
    @@ -34,6 +36,7 @@
       export let colorClass = null;
       $: iconValue = typeof icon === 'string' ? icon : icon?.light || icon?.dark || '';
       $: isSvgString = iconValue.trim().startsWith('<svg');
    +  $: sanitizedSvg = isSvgString ? DOMPurify.sanitize(iconValue, { USE_PROFILES: { svg: true, svgFilters: true } }) : '';
       $: isTextIcon = iconValue.trim().startsWith('text ');
     
       const iconNames = {
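Review bot: the `sanitizedSvg` line is the entire fix, so it deserves a comment stating why the `svg` and `svgFilters` profiles are used with no `html` profile (HTML elements such as `<img>` inside the SVG string are dropped outright), and a unit test with a hostile fixture like `<svg><img src=x onerror=...></svg>` asserting that the handler attribute is gone from the output.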
    @@ -379,7 +382,7 @@
     
     {#if isSvgString}
       <span class="svg-inline" class:padLeft class:padRight {title} {style} on:click data-testid={$$props['data-testid']}>
    -    {@html iconValue}
    +    {@html sanitizedSvg}
       </span>
     {:else if isTextIcon}
       {@const textIconParts = iconValue.trim().split(' ')}
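Review bot: swapping `{@html iconValue}` for `{@html sanitizedSvg}` closes the sink in this branch only; confirm with a search that no other `{@html}` use of `iconValue` or of raw icon strings remains elsewhere in packages/web, since the advisory describes the icon string as flowing from app definitions into several UI locations.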
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.